Under the Radar 13: External Dependencies
Welcome to Under the Radar, a show about independent iOS app development. I'm Marco Arment. And I'm David Smith. Under the Radar is never longer than 30 minutes, so let's get started.

So today we wanted to unpack the situation that occurred, I guess it was the beginning of this week, end of last week, something like that, where Parse, a fairly widely used platform for app back-end design, announced that they will be shutting down. And while the actual situation and the nuances of that aren't particularly, like, generally applicable, they're interesting. The actual, sort of, fundamentals of that, of having this big general-purpose platform that was used by lots of apps finally shutting, or deciding it was going to shut down, has a lot of knock-on effects that are probably worth unpacking. Before we dive into that, it probably makes sense to just sort of talk about what Parse was.

And so Parse was this platform that made it relatively easy to make a back-end for your application that would do object persistence, user management, things like that. Like, a very basic, high-level, not-specific-to-a-particular-industry back-end sort of system that a lot of apps could use. And it had fairly attractive pricing, including a free tier, which is always a bit of a trap for these kinds of things, where you can say, oh, we can use it for free, and if our app gets really successful, then, only then, do we have to pay. And then a couple of years ago it was bought by Facebook, which made everyone who was using it kind of happy, because, oh, now it's not this sort of fly-by-night thing, it's backed by, you know, this major corporation. But now it's being shut down. Facebook has decided that that's not something that they want to invest in and continue to maintain, and so a year from now they are going to be turning it off. They're doing it pretty well, like, they're getting a year's notice and a bunch of migration tools. But at the end of the day, this thing that, I've heard varying reports, but, you know, at least I think it's fair to say quite a lot of apps make use of, at least in part, is just gonna be turned off. And as a result, the apps that use it, if they haven't been updated or migrated, are just going to stop working. And that's kind of tricky.

Yeah, I think one of the weird things about this is, like, you know, it kind of ties back to apps: in order for these apps to continue working, it has to be worth their developers' time, and their developers have to have the budget to now do a noticeable update. And, you know, they've made it relatively easy. They've released big parts of their service as open source that you could just install on any server. Microsoft Azure has started trying to attract people to migrate to them, and they're making it a little bit easier. So there are migration options here that aren't gonna be incredibly work-heavy, but it is still work. You still have to do an update. There are going to be things you have to change and rewrite, and so it has to be worth that happening by the app's developers. So if you're relying on an app that uses this that hasn't updated in a long time, that might never be updated for this. It might never be worth somebody's time to update it, and that's unfortunate. And that is going to cause a lot of problems in the App Store, as these apps kind of slowly, you know, collect one-star reviews and stop working, and they just kind of live as zombies forever.

Yeah. And so as developers, when I see something like this, like I said, the specifics of the Parse situation are sort of vaguely, or, like, intellectually interesting, but aren't actually practically that interesting. But what it makes me think about is, it makes me evaluate the dependencies that I have in my own apps. And as I build apps, increasingly fewer and fewer of the things that I've built have no web component whatsoever, because it feels like these days you're gonna need some kind of back-end for your application, either something like Parse, you know, that's sort of off the shelf, or something you build yourself. And you're probably gonna need these for at least one of three reasons. Like, your app is probably going to do something backup-related: if people are putting any amount of data into your application, they're probably going to want to be able to have it backed up. And this is something that for a long time I used to say, oh, I rely on, like, the iTunes/iCloud backup system, but there are all kinds of problems and issues that you'll run into. Where, like, I have a recipe manager, and I ran into issues where, like, their recipes were fully backed up in, like, the latest backup that they did, but they accidentally deleted the app, and so now the only way to get their recipes back is to do a full restore of an old backup onto their device, potentially destroying newer data in other apps and things. Like, it's a mess. So you wanna be able to back up your data. Or you want to be able to sync your data between different devices, so you'll need some kind of back-end to do that. Or you just have an app that has, like, a core service, like, obviously, I imagine in Overcast you need a back-end, or, like, a lot of what you do wouldn't work if you didn't have some kind of back-end running for it.

Oh, sure. I mean, you know, there are podcast apps that don't use server-side back-ends, like, as intermediaries, and just crawl feeds directly and everything. But that's not how I built mine, and it affords me a bunch of advantages to have done it the way I do it. But now I have this big dependency on my service.

Yeah, and I think ultimately, like, that's the right word. Like, at the end of it, building these back-ends that maybe aren't always required but are going to be required in a lot of cases, like, the biggest thing that I think this situation is instructive for is making us aware of the things that we're dependent on and that our apps are dependent on. Because we're always gonna be dependent on something. It seems like there's no way to really say, like, okay, I'm gonna be completely independent, because ultimately you're gonna be, like, I'm very reliant on Apple, for example, and iOS. Like, if Apple announced, you know, tomorrow that, hey, we've decided, you know, this iOS thing isn't really working out, we're just gonna turn it off, like, we're just gonna stop making iPhones. I'm not saying it's likely, but if they did, my apps would stop working, like, in the same way that Parse deciding, you know, to go away meant that apps that relied on it go away. Or maybe a more practical example on the Apple side of things is if they decide, like, you know what, CloudKit isn't working out, we're gonna turn that off, or those types of things. Or, like, I rely on my hosting provider. I host all my own, all my Linux servers, on Linode, and, you know, if they decide they're gonna go out, or they go out of business, or they decide they're not gonna do the kind of hosting that I need anymore, suddenly, like, I'm in a bit of a bind. And so, like, there's no way to avoid being dependent. You're always dependent. But, like, there's a lot of dependencies that you kind of have some choice in. Like, do I want to be so wed to a particular platform or back-end or system, or do I want to be a bit more flexible? And, you know, it ends up, like, the more custom you make it and the more of it you control, you're gonna have more, like, portability, and be able to be, like, you know, if this particular host goes away I can just get another one, and you're able to look at the trade-offs and make more choices than if you're just all in on one thing. That's when you start to get a little bit awkward.

Yeah, and that's why, like, the selection of what you depend on, this is why I'm usually very conservative with these. You know, obviously I try to minimize how many external services and companies and things I depend on, but, you know, beyond that, as you said, this is why I always try to choose as conservatively as possible. So, like, yeah, Apple could shut down the entire App Store, and that would really be disruptive for us, but that's very unlikely. Like, the App Store's continued success is pretty important to Apple as well. So I've aligned my incentives with this now pretty old and pretty important thing to its parent company, that, like, it is very unlikely that Apple will do that and that'll be a problem for me. Facebook shutting down Parse, this thing they bought, did not have that kind of luxury. Like, if you were a Parse customer six months ago, you're, like, looking, evaluating this dependency: it isn't that important to Facebook to keep this running. So this was foreseeable, that, like, this was a high risk of happening, that this company made this service, it got big, got bought, the parent company didn't really depend on its continued operation for their core strategy, so this was always gonna be a risk, right?

So, you know, if Linode, I know, however we're supposed to be pronouncing it, I say Linode, do you say Linode? I know they say Linode. If that particular Linux VPS host gets shut down, well, that's unlikely, because they're really big and they've been around a while, but even if that happens, migrating away from that is not that big of a problem, because there are other Linux VPS hosts just like it. And if every Linux VPS host went away, you could get a Linux server somewhere that behaved very similarly. You know, if every Linux server provider went away, you could, as a last ditch, run one in your house. Like, you shouldn't, but you could. So, like, the transition options away from something are also very important. Like, Parse shutting down, they did a decent thing here where they open-sourced a big part of their server and made it, like, installable on your own stuff. But what if they didn't do that? Lots of things shut down and never do that, because they just either can't, or won't, or don't feel like it. So, you know, let's suppose you depend on an Amazon Web Service for your business and Amazon shuts that down. Most of the time that is very hard to replace, because they are so custom and proprietary, you can't just kind of do your own thing. If you depend on any kind of, like, high-level service like this, then it is always a risk. The more, like, custom and proprietary and high-level something is, the risk of it being hard to replace, if it ever does go away, increases.

Yeah, and I think that's ultimately probably, like, the enticement, and why it's this weird tension that you find yourself in as you're developing a service, or as you're thinking about a feature. You're saying, like, if I do it with this high-level, like, construct that this company's providing, I can save myself a lot of time upfront, because I'm not having to build that again. You know, I'm saying, like, if there's this solution that they've come up with that, like, means that, you know, user authentication is just, like, a thing that I can just, like, plug into my app, and it handles all the secure password storing and email resets and all that kind of stuff. Like, say there's a service that does that off the shelf. Like, that's, you know, days, weeks, months of time that you weren't spending building that thing, that instead you're just kind of integrating directly into your application. And so, like, it's enticing, and, like, you're getting this enticement, the benefit of that upfront time, but it's sort of at the detriment of this risk that you're increasing. And maybe that makes sense. Like, if you're just kind of prototyping something and throwing it out there, or you're in a situation that's very time-limited, that, you know, if you don't ship your app in a month, you're gonna miss some kind of market window or opportunity, or, like, you just have that much money to make a run at it and you just kind of have to, then great. Like, there's nothing bad about those types of things. But it's this weird tension that you're finding, of, like, because you're so locked in at that point, you're setting yourself up for difficulty down the road. Because it's, like, short-term benefit and, like, long-term pain. Because, you know, developing it yourself, there's also long-term pain. It's a different kind of pain, but, like, you have to then be the one who's maintaining it, or when security issues happen, you know, it could be you're the one going in and patching your web server, or the Linux distribution you're installing on your servers, or whatever. Like, you know, at some point there's always the long-term challenges with these things. But the difference is more one of: you're totally locked in and at the whim of whatever that company is. And unless you're their biggest customer, which, for the kind of people who I imagine listen to a show like this, you're unlikely to be a service provider's biggest customer, you're just gonna be kind of, like, you know, sort of washed back and forth based on whatever makes sense for them. And that may or may not be something, or a position that you find yourself in, that you'd be comfortable with.

This episode of Under the Radar is brought to you by Hover. Quite simply, Hover is the best way to buy and manage domain names. When it comes to buying a domain name, Hover is the first place I check. Now, when you have an idea for a project, naming it can be difficult. When you finally get that name, you want to be able to quickly and easily get the domains that you need. Hover provides a simple, fast, and hassle-free method of buying domains. I don't want to be faced with a thousand screens and all these add-ons, high prices, all these, like, custom weird services that seem kind of like scams. I just want to get in, find what I need, buy it, and get on with my life and building my new idea. Hover makes this very, very easy. Their search is very nice. It suggests things for you if nothing's available. They can search all the TLDs, all the crazy new ones. And they have .com domains starting at just $12.99 a year, great prices on all the other ones as well. All these include Whois privacy for free with every Hover domain, because they believe that you shouldn't have to pay extra for something like that. That's, you know, obviously you want to keep your private information private. They also have fantastic customer support. If you want to call them, they have a no-hold, no-wait, no-transfer telephone support policy. When you call them, you talk to an actual human being, not a robot, not a menu. You don't have to say, like, "operator," like the stupid speech menus. It's a real human being you can just talk to directly. They pick up the phone. And if you do, of course, prefer the robots, they also have great support documents and support guides on their website for getting everything you need, and you can email them as well if you'd like. And they also have a valet transfer service, where they can take all the hassle out of switching from your current provider, because they do it all for you. You can just give them your login to your old provider and they will transfer names for you if you'd like, all that for free. Of course they have so much more great stuff. They have volume discounts, they have custom email addresses, storage and forwarding, and so much more stuff. Check it out. Use code PERSPECTIVE at checkout, that is, once again, code PERSPECTIVE at checkout, and you will get 10% off your first purchase at hover.com, and you will show your support for Under the Radar and all of Relay FM. Thank you very much to Hover for sponsoring this episode.

So it seems like we should probably also dive now into, kind of, like, what we do, how we approach this. Because I think we both have found ourselves at the end of, like, the thought process on how we should make back-ends for our servers with, like, well, we're gonna build them ourselves, and we're gonna build custom applications running on, you know, Linux VPSes that we use. And it's probably worth saying why we kind of do that.

I mean, to me, it's, you know, first of all, it's all about control for me. I'm a control freak and I want to do everything myself, and I want everything to be under my control, because I don't want to have major parts of my roadmap dictated by a dumb change in my host, that, oh, all of a sudden this entire thing I depend on is shutting down and I've got to change that. Like, you know, Apple gives us enough of those things, you know, with, like, new device releases and everything, but those are, you know, kind of an unavoidable part of working with Apple. But when it comes to running your services, you control a lot more of that and you can avoid those things, and so I love that part of it. And for me it's also a lot about capability and cost, low cost, and just being able to do a lot. CloudKit is very appealing in a lot of ways, and if I was making a new app today, I would think very hard about whether I could just do it all in CloudKit and whether that'll be the right move for me. But it is still limited in what it can do. And so for me, like, a website or, like, a regular Linux back-end is the default for me. I know how to do it. It really isn't that hard, which we'll get into in a little bit. It really isn't that hard, and it is surprisingly capable for surprisingly little cost.

Yeah, exactly. I think the reasons are fairly similar for me. Like, I think the thing that I like most is being able to tailor the back-end of my application, not necessarily to the application, but it's tailored to the way that I think and the way that I solve problems, and the way that I'm thinking about, like, the problems that are being solved in my app. So when I'm dealing with something like sync, like, the generic term for, like, one of the hardest problems in computer science, I like that I'm solving that problem in a way that makes sense to me, that I'm not having to kind of shoehorn my application, and the way I think about it, into the model that a service provider provides, where they say, like, well, you know, we handle conflict resolution using, like, last-updated-wins or something like that, and, like, maybe that works, maybe it doesn't. And so when you build your app yourself, like, I actually understand it. Like, I've gone through and I've made the decisions at the various levels of, like, well, I want this to work this way, I want this to work that way. And so then down the road when I'm debugging something, I have a better understanding of how I expected it to work, and when things go wrong I have a sense of where they might be going wrong. Like, is this an app problem? Is this a web service problem? And, like, ultimately it probably also just, like, makes my apps better and makes me, like, having this breadth of experience, that at this point, like, I can build something all the way from, like, the UI and the application, the business logic inside of the application, and then all the way through to, like, the web service that's managing that information, and a database at the back that's storing that information. Like, being able to do all those things is just, like, good for me from a career and personal development perspective. Like, I've learned to solve more problems doing it this way, that ultimately I think makes me a better developer. Like, I write less; my apps are probably better because of the kind of calls they're making. Like, I know what the server is trying to do with those calls, and so you don't end up just, like, well, this is, like, the naive, obvious solution, I'll just kind of throw all this data at the server, or, hey, let me just ask for all of it every day, all the time, because if the servers are overwhelmed that's not my problem. Like, those are things that ultimately probably make my apps better. And, like you were saying, it is kind of crazy how inexpensive it is to do a lot of these things now. Like, a lot of my things are just backed by, like, two or, you know, VPSes that cost, I mean, like, a basic one is, like, $20 a month, or something like that, twenty, forty dollars a month. Like, for a lot of my applications I end up spending, you know, maybe it's $100 a month in servers, and that's really not too bad for the kind of capability and the throughput and the number of users that you can support, even just at that level.

Oh, yeah. I mean, even at the twenty-bucks-a-month server level on a modern host like Linode or DigitalOcean, you can get so much for this money now. And when you're using boring old fast tools like MySQL or Postgres, and you have, like, a modern web language in front of it, you know, even the old ones, PHP, Ruby, you know, like, Python, or more recently you might have, like, Go, you know, these are so fast. You can do so much, you can support so much usage. It's way more than you think, because now, you know, you have these modern processors doing the virtualization, you have SSDs on almost all these hosts now. It is incredibly fast to do, and so, like, you really can support a lot on very little hardware.

Yeah, and I think ultimately that makes it a lot easier. Like, the hardest problems I've ever had to solve, like, the only time I kind of regretted doing back-ends myself, was the early days of Feed Wrangler, my RSS syncing system, which, like, I was doing stuff that in retrospect was really foolish and was just crushing my database. Like, my Postgres database was just constantly dying and falling over, and in retrospect it was because I was being, you know, I'd made a few really bad assumptions upfront. But even there, like, that's the only time I've ever really had to do any low-level performance tuning of any of my applications. Otherwise, just out of the box, things are just fast and work and it's fine, in a way that, like, it would be problematic if I, you know, if I really needed to be, like, a database administrator, like a serious, like, you know, DBA, whatever they call them these days, like, doing that kind of work. But most of the time I just, like, install Postgres with the defaults, you know, tweak a few things the way I like it, and then it's fine, and it just runs quickly enough that, you know, my users don't even really notice any kind of performance issues or problems.

Yeah, I mean, like, you might think, if you haven't done this before, or if the last time you did this was, like, 10 years ago, you might think that running servers requires lots of, like, low-level tweaking and performance tuning and getting these right config variables to, like, exactly the right buffer size and everything. And you don't really need to do that anymore. That's very, very rare, for most people, to need to get down into the nitty-gritty stuff. It really is, like, as you said, you can just install these things with the defaults, and usually that's what you need to do, because everything is just so good now. There's so much headroom. The software is very mature in a lot of these things, and the hardware is very mature too. So you really get a long way with just the defaults now.

And I think one thing that I was kind of looking forward to when we got into this topic is, you said you had a few little pro tips for getting into this kind of administration. Because I think it can be a little bit intimidating. It's like, you know, like, go and install Linux, and even then you start, like, well, what version of Linux, how to get started. And I remember it being a little intimidating, but at least, like, the fun thing is, once you get going, like, there's tremendous resources and you can just kind of get going. And once you know it, you know it, because this stuff doesn't really change.

Yeah, basically, like, Google is your friend, you know, not the corporate structure, but, you know, the search engine, Stack Overflow, like, all these things, these are your friend, because lots of people have been running Linux servers for years. And as you said, the tools and the commands and what you need to do doesn't change very often. Usually, typically, you learn this stuff, like, once, and you have to learn something new maybe every two years. Like, it's pretty stable, it doesn't change much.

So the number one tip I can give is to pick a very popular but somewhat conservative Linux distribution to do this with. For years I recommended CentOS, which was based on Red Hat Enterprise Linux. I think today Ubuntu might have more momentum behind it. So I actually just managed my first Ubuntu server recently, and things are a little bit different, but I was able to figure it out. So between CentOS and Ubuntu you can't really go wrong.

Turn on auto-updates for as much of the system software as it makes sense to do that for. Usually every major distro has a way to do this. It's very straightforward. That will take care of most security problems for you if you basically are not an idiot, which you're not, trust me. You know, if you're not an idiot, and if you leave things mostly at their defaults with the distro and what it comes with, modern Linux distros are very secure by default, because they know that that matters, like, the defaults matter, so they've all adopted pretty conservative and pretty secure defaults for the most part. Keeping things updated automatically is very easy, and things like that.

On other high-level stuff: only run the software that you need to be running, and they're all very good at letting you manage this. So, like, if you have a server that you have your website on, don't also install, like, well, let me install FTP so I can, like, trade files with my friends. Like, no, just leave that off. That's just a liability. You know, install what you need to install, and if you want to play around with different things, you can create a second VPS for, like, five or ten bucks a month and play around on that. Don't play around on your main servers. Run only what you need to be running on them.

Take advantage of the built-in isolation in Linux machines, especially with regard to networking. Almost every service that you'll be running will have some kind of, like, listening port, where you can say, all right, this database should listen on this interface on this port. If you only have one server, make the internal stuff listen on localhost, so that you can't log into MySQL from outside. Like, you shouldn't need to do that anyway. You should be doing things on the server. If you need, you know, management stuff, lock that down. If you have multiple servers, use private networking. Every host that's worth their salt supports private networking between your own machines. So if you have multiple servers that need to talk to each other, have them talk to each other only over private interfaces. Have things like MySQL or memcache listen only on private or local interfaces. That helps a lot. Just make it so, don't rely on, like, your password being secure. Make it so that passwords don't even work from the outside.

So that also applies to things like SSH, when you're doing remote login. So disable root logins. Once you have a user set up, have that user have sudo access with a password, and then that user account that you're logging in as, say you're logging in as David, make that the only user that can log in via SSH, and make that key authentication only. Disable password authentication in SSH. This is very simple stuff to do. You can Google how to do it. So that right there, you have no way to log in with a password. You have to have the encryption key to log in. That knocks out massive, you know, brute-force possibilities and everything. That helps so, so much. Between that and private networking for private services, you really eliminate a lot of problems.

Now, moving on slightly to user data: collect as little user data as possible to get your job done. Because worst-case scenario, somebody hacks into your server. Worst-case scenario, they take your database. What do they have? Think about it when you're designing your database, when you're designing your service. What information do you really need from people, and what can you get away with not having? If you don't need to get people's email addresses, don't get their email addresses. If you're taking passwords from people, hash those, so that, you know, people aren't getting, like, just the MD5. Like, for God's sake, don't do that. Like, you know, use secure password hashing, like bcrypt with strong settings. There are lots of good practices for this, lots of things to tell you how to do this. I've considered, even for Overcast, like, I do have the email addresses for people, because I figure, yeah, I need to be able to, I have email addresses and I have hashed passwords with a strong bcrypt. But I've been thinking recently, do I even need the email address? Could I hash that too? Because then you have, like, if you steal my database, you just have no email addresses. Like, that would be amazing. And I was thinking, like, if you hash the email address so it works just like the password, basically, then you could still have logins, you can still have password resets. The only thing you really can't do is I can't, like, email people randomly out of my database. But I've never done that. I don't send a newsletter, I don't do any of that stuff. So think about just, like, what data you have, what you're collecting, and what you can afford not to collect.

Simple security measures beyond that: you know, you should have database backups. You should also be encrypting those backups. There's built-in stuff. There's a crypt command you can pipe tar through, and everything like this, really simple stuff on Unix to do all this very securely. Make sure, though, that you are testing these backups. Make sure you can decrypt them. That's very important. Don't store the encryption key only on the server, because then if that server gets wiped or gets lost or whatever, you've lost your data and your backup decryption key. That's no good. One strategy I employ there is, I write my database backups, I copy them onto a write-only S3 account. So, like, the credentials that are on the machines can only write to the bucket. They can't read or delete from it. So that way, if somebody hacked into the machine, they can't also go and delete my backups. So I have separate, you know, separate credentials that I can pull the backups off of there and restore with, that never live on my servers. Those stay, like, with me and my personal documents. Those never live on the servers. So, you know, keep things as secure and separate as you can just by design like this.

And that's really about it for basic security stuff. It really isn't as hard as you think, and you don't have to do very much. You don't have to, like, constantly keep on top of your servers and be constantly babysitting them. For the most part, you set it up and it basically runs itself. And if you set it up with sensible defaults, using conservative software and some basic security settings like what I've said here, you can be pretty much fine.

Yeah, exactly. And I think that it's the kind of thing that, if you can't do this kind of thing, and if, like, everything that Marco just ran through is complete gibberish to you, like, you should probably do something about that. It's an important skill, to be a developer, to understand some of these basics. They're sort of, like, the fundamentals that run the internet. Like, you should understand what this is, and, you know, just sort of take control of that. And, you know, just get a five-dollar, like, VPS somewhere and start messing around and start, you know, learning, because that's how most people learn this stuff. You just start doing it and you get better at it.

All right, we're out of time this week. Thanks for listening, everybody, and next week we're gonna go into a little more detail about our server setups, lessons we've learned, and how to minimize the workload. We'll see you next week. Okay.